T&S is professionalising — but how?

I'm Alice Hunsberger. Trust & Safety Insider is my weekly rundown on the topics, industry trends and workplace strategies that trust and safety professionals need to know about to do their job.

This week, I'm thinking about the intersection (and differences) between Cybersecurity, Privacy, and Safety and wondering what would happen if TrustCon was held in a giant stadium with 40,000 people.

Get in touch if you'd like your questions answered or just want to share your feedback. Here we go! — Alice

Today's edition of T&S Insider is in partnership with Checkstep, the AI content moderation solution for Trust & Safety leaders

It's officially the six month anniversary of the Digital Services Act (happy birthday!).

When we meet with Trust and Safety leaders who are looking to review or build their DSA compliance suite, we always ask them what their biggest challenges are. For many, the answer is writing or reviewing their Statement of Reasons, especially:

• Providing clear and detailed explanations that are both legally compliant and understandable to users.
• Ensuring consistency across decisions to avoid the perception of bias or unfair treatment.
• Balancing transparency with legal and security considerations that make the process complex and resource-intensive.

If you'd like to build or review your Statement of Reasons, we have a number of templates for content moderated by AI, human, or hybrid moderation you’ll find below. Do not hesitate to reach out through our website if you have any questions or need help!

What T&S can learn from Cybersecurity and Privacy – while still keeping its heart

Last week, after being recognised as one of the top woman in Cybersecurity, Australia’s eSafety Commissioner Julie Inman-Grant wrote on LinkedIn about the relationship between "the three legs of the "cyber stool":

“It is […] really important that women who are working in online safety - or combatting a range of personal harms and abuses impacting women and girls disproportionately- is being valued in the context of the “cyber profession.”

Of the three legs of the “cyber stool” for too long safety has trailed security & privacy as core limbs. But if one is weakened, that undermines trust, and the metaphorical stool falls over…” (my emphasis)

She makes a good point. Almost all mature companies have a Chief Security Officer and/or Chief Privacy Officer, but it’s astonishingly rare to have Trust & Safety represented within the C-suite. All three industries focus on protecting users and data, require a deep understanding of technology, and have complex risk frameworks and regulatory oversight.

I hope that we’ll see a rise in Chief Safety (or Trust?) Officers in the future. But what might it take to get there? How can we professionalise while keeping the community and culture that makes the T&S industry unique? And what can we learn from the Security and Privacy industries that have gone before us?

Are we that different after all?

The stereotype of a cybersecurity “white hat” hacker could just as easily be a description of a Trust & Safety professional. Imagine someone hunched over a computer, looking through IP logs, hunting a "bad guy" who is trying to find loopholes in the company's defences. It’s a game of cat-and-mouse; the adversary creating fake accounts as fast as they are blocked, the tech worker using every tool at their disposal to get ahead.

The only difference might be the intent of the bad actor; if they’re trying to compromise user data directly from a company's systems, it’s likely that a cybersecurity pro is on the case. If they’re trying to compromise user data directly from the users themselves, then it’s a T&S issue. As technology has advanced, the adversarial landscape is blurring the lines between the two disciplines even further.

A couple days ago I came across a post on my LinkedIn feed from a former T&S staffer turned Crowdstrike product person showing a giant stadium full of people at the Black Hat conference. The numbers — later estimated to be around 40,000 people — seemed unfathomable. 1,300 people at TrustCon felt like a lot, and here were probably 20 times as many people. But the areas of focus were the same, as Mark wrote:

"At Black Hat, the cyber pros kicked off with a talk about disinformation and election security. There were deep dives about bots, scams, policy, online abuse, ML detection, adversarial threats, and abuse of AI. Many T&S pros would feel right at home. I didn’t miss a beat.”

I mean… these are core Trust & Safety topics! And just as Cybersecurity is looking a lot more like Trust & Safety, the opposite is true as well. T&S conferences nowadays tend to have sessions on safety red teams for generative AI, tabletop exercises for safety risks, and a rise in enterprise software for safety.

Privacy and T&S have much in common too: a focus on protecting user data, a commitment to transparency, and a belief in upholding user rights. Of course, the right to privacy is often at odds with the right to safety, and yet for many people around the world, like LGBTQ+ people in repressive countries, privacy is safety. They're not mutually exclusive.

Forgive my terrible graphic design skills, but I started to throw together a Venn diagram of where Privacy, Security, and Safety overlap:

The three “legs of the cyber stool”, as Inman-Grant called it, are more connected than people realise. Each discipline works towards the same three goals but by tackling different aspects of the same problem and approached from different directions:

• Cybersecurity is there to protect the company’s systems and networks (and, as a result, the users and the data on those networks).
• Privacy is there to protect the data (and, as a result, the users whose data it is, and the company that hosts the data).
• Trust & Safety is there to protect the users (and, as a result, the company and the data).

The same but different

Even though there are so many similarities, the gaps between them — particularly Security and Safety are notable — and worth reflecting on for a moment.

First, the framing. Security is often framed as warfare — for example, defending against attacks and exploiting weaknesses — while Trust & Safety is more orientated around justice; the focus is on fairness, empathy, inclusivity and empathy. I've always thought that the former is more orientated around what we do and the latter is more concerned about what outcomes we want.

Secondly, the values at play. T&S has distinctly female-coded ideals, and, the skills needed to thrive in the profession tend to be female-coded as well: skills like emotional intelligence, compromise, cultural sensitivity, and communication. Further, as Inman-Grant said, the potential harms also disproportionately impact women and girls.

Related sidenote: Sometimes I think that it’s no wonder that, in a male-dominated tech industry (and misogynistic society), that Trust & Safety is minimised as much as it is, even if we have a lot in common with Cybersecurity, and regardless of how technical Trust & Safety work is getting.

Thirdly, a less mature regulatory market. Up until now, safety regulation has lagged well behind after equivalent Cybersecurity and Privacy laws. This has led to companies reacting to issues as they arise and a greater burden on companies to develop their own policies. However, the Digital Services Act and other regulation has arrived and, as regulators start to bare their teeth, it will be harder for companies to dismiss so-called “fluffy” ideals when there are risks to the company and serious money is at stake. We’ve seen this with Privacy since the introduction of GDPR.

Going pro

In the same way the Cybersecurity industry has embraced its old-school hacker origins (have you seen the DEFCON website?!), we — as safety professionals — need a similar conversation about what we want our profession to be, what it means to be a T&S professional and how want to be seen by the wider public.

For example, we need more training programs and courses to equip people to break into the industry but do we want to be swimming in professional certifications and an alphabet soup after our names? The thrilling thing about Trust & Safety work is that it touches almost everyone on the planet in the most fundamental way. Perhaps making the club more exclusive isn't the right way forward? I'd be interested to know what you think.

I’m hoping for future in which 40,000 people attend TrustCon and where a sizeable number of those are civil society representatives, youth activists, and human rights experts. I believe there can be room for safety in the C-Suite (aka the most exclusive of places) while still embracing inclusivity and centring the experiences of the most vulnerable among us. I believe that we can “go professional” without losing our hearts. But we can't lose sight of the ideals of humanity and justice and fairness that got us here in the first place.

Also worth reading

The many reasons why NCMEC's Board is Failing its Mission, From a NCMEC Insider (TechDirt)
Why? An explosive look at the inside politics on NCMEC's Board, and how they pick and choose which kids need protecting.

Facebook creators have a new way to avoid 'jail' (TechCrunch)
Why? I love to see user education and prosocial norm-setting instead of purely punitive approaches to safety.

What's with all these 'wrong number' texts? (Max Read)
Why? This won't be anything new for T&S pros familiar with financial grooming, but this is an entertaining read that you can forward to your family.

The Vermont miracle: How one local platform is rewriting the rules of social media (New_Public)
Why? A social media platform that is "useful, encourages civic engagement, and actually strengthens communities." Part of this is clearly the design of the forum itself (every post is time-delayed to prevent rage-posting and provide time for human moderation), but I also wonder if part of the reason why discourse on FPF is so civil is due to Vermont's unique political and social landscape which still has an old-school respectful vibe to it. Did the chicken or egg come first? (FPF was also recently featured in the Washington Post).